Oracle patches Java.com after hacker group notification

The secretive hacker group known as YGN Ethical Hacker Group has done it again, exposing a vulnerability in a vendor website - this time one owned by Oracle - through assessment scanning. YGN says Oracle responded promptly to its notification about the vulnerability it found in www.java.com and fixed the hole.

YGN told Network World by email that the Oracle Security Alerts team has thanked it for the information provided about an "arbitrary URL redirect vulnerability" in www.java.com. YGN published advisory information about this vulnerability both on the public SecLists online and the hacker group's own website on Sunday.

Oracle had no immediate comment.

This interaction between YGN and Oracle, which took place over the last week, seems to have followed a far different course than the hacker group's recent interaction with McAfee, which ended last month with YGN disclosing it had found a vulnerability in the McAfee website before the security vendor had fixed it.

YGN contacted McAfee in February about the cross-site scripting vulnerability it had discovered, and when the vulnerability had still not been corrected by late March, YGN took the step of disclosing it in public forums such as SecLists.

That created a stir and generated discussion about the ethics of scanning sites for vulnerabilities without the permission of the website owner. In general, there's sentiment that scanning without the owner's permission likely violates US law and may be regarded as an attack on a website. However, comments also indicate some popular support for the idea that the public stands to benefit from website owners fixing website vulnerabilities that are brought to their attention through unauthorised scanning.

YGN, which describes itself as a group of young IT professionals based in Myanmar who prefer to keep their identities secret for the present, argues that security vendors in particular should be doing a better job of maintaining website security. YGN emphasises that its exposure of website vulnerabilities is undertaken in what it considers an ethical manner, although it is aware its scanning activities may run counter to what it perceives as US law.